Session-less protected REST APIs

This article describes session-less services in the Loginapp REST API's protected REST API.

  • It applies to the following end-points:
  • All end-points under: /protected/my/.
  • The end-point /protected/secret-questions.

For most of the session-less protected REST APIs, there is a corresponding flow-based API in the Protected self-service REST APIs.
Whenever possible, prefer the flow-based variant over the services listed here.

Authentication and authorization

Requests to the session-less protected REST APIs need to be authenticated and authorized. The corresponding configuration is:

Loginapp >> Session-less REST Endpoints >> Request Authentication and Request Authorization.

  • Request Authentication: Defines how users or REST clients are authenticated (e.g. Basic Auth, client certificates, or OAuth tokens).
  • See Authentication of REST requests for more information about request authentication.

  • Access Controller: Defines what services are accessible by the authenticated user or REST client.
    • The following plugins are available:
    • "Resource Access Controller": role-based access policy based on REST resource paths (e.g. rules like " IF $user has role 'admin' THEN allow POST on path /protected/xxx")
    • "Enabling All Access Controller": use this plugin to disable authorization and allow all services to authenticated users.

You may use the Airlock Gateway's one-shot authentication flow to secure the protected API upfront.

  • This has the following security advantages:
  • Authentication enforcement and coarse-grained access control are done on the Airlock Gateway
  • The API may be strictly enforced using the Airlock Gateways "API enforcement" feature

To do so, proceed as follows:

  • Setup the one-shot authentication flow according to HTTP request authentication (One-Shot flow)
  • Use an identity propagator to transport the verified user identity to the IAM REST API
  • Use a request authentication plugin to authenticate the propagated identity.
  • On the Airlock Gateway, create a separate mapping for the protected APS (as described in Airlock Gateway for Airlock IAM configuration)
    • Enable API Enforcement
    • Restrict access to specific roles.

Service List



Config path relative to Loginapp >> Session-less REST Endpoints

Password Change

Allows a user to change the password.

User Self-Service Settings >> Password Settings

User Information

Returns information about the authenticated user.

User Self-Service Settings >> User Information Self-Service)

mTAN Self-Service

List stored MTAN numbers (mobile phone numbers), change MTAN meta-data (e.g. label), and change MTAN number (involves sending an OTP to the new number, and verifying it).

User Self-Service Settings >> mTAN Self-Service (Legacy)

Cronto Self-Service

Self-service to order Cronto activation letters.

User Self-Service Settings >> Cronto Self-Service (Legacy)

Secret Questions

List possible questions and store answers to secret questions.

User Token Settings >> Secret Question Settings

Device Token Registration

User Token Settings >> Device Registration Settings